The federal privacy regulator discovered that Staples Canada failed to completely erase personal data from returned laptops before reselling them. According to the Office of the Privacy Commissioner of Canada, an examination of laptops returned to four Staples stores in Ontario revealed that 23% of the devices contained personal details such as names, email addresses, account information, email snippets, and partial facial images.
As a result of this finding, Staples has been given a nine-month timeframe to establish clear guidelines for data erasure, enhance employee training, and engage an independent third party for annual spot checks on returned devices. The investigation was initiated after a former Staples employee raised concerns about laptops not being properly wiped before resale.
The complainant reported instances where laptops stored previous owners’ usernames and passwords, and in one case, a laptop was resold with personal information still present from the previous user. This incident echoes a past audit conducted in 2011, indicating that similar issues persisted over a 15-year period despite previous scrutiny by the commissioner.